Closed thomaszbz closed 1 year ago
What are the full HTTP headers for the non-functional server?
And what DNS server is returning 138.199.37.226 for packages.sury.org?
I’m pretty much sure you should not be getting this IP address from the DNS.
http headers:
curl --insecure -v https://packages.sury.org
* Trying 138.199.37.226:443...
* Connected to packages.sury.org (138.199.37.226) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.storage.bunnycdn.com
* start date: Jun 2 00:00:00 2022 GMT
* expire date: Jun 2 23:59:59 2023 GMT
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5620613672e0)
> GET / HTTP/2
> Host: packages.sury.org
> user-agent: curl/7.74.0
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< server: nginx
< date: Sun, 09 Apr 2023 12:13:39 GMT
< content-type: text/html
< access-control-allow-headers: AccessKey, Content-Type
< access-control-allow-methods: GET, DELETE, POST, PUT, DESCRIBE
< access-control-allow-origin: *
My hosting provider is netcup; using their DNS, I get similar IP addresses. Source: https://www.netcup-wiki.de/wiki/Nameserver
dig @2a03:4000:8000::fce6 packages.sury.org
; <<>> DiG 9.16.37-Debian <<>> @2a03:4000:8000::fce6 packages.sury.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65184
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;packages.sury.org. IN A
;; ANSWER SECTION:
packages.sury.org. 1277 IN CNAME debsuryorg.b-cdn.net.
debsuryorg.b-cdn.net. 34 IN A 138.199.37.230
;; Query time: 4 msec
;; SERVER: 2a03:4000:8000::fce6#53(2a03:4000:8000::fce6)
;; WHEN: Sun Apr 09 14:20:02 CEST 2023
;; MSG SIZE rcvd: 96
openssl s_client -connect 138.199.37.230:443
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.b-cdn.net
verify return:1
---
Certificate chain
0 s:CN = *.b-cdn.net
i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
---
Server certificate
subject=CN = *.b-cdn.net
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5121 bytes and written 363 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 6F3D988DAF860A5E94E607AE9FA2C658B5CF4FE4F8C1A9FD2FC60F2FCFC7A715
Session-ID-ctx:
Resumption PSK: 6FAB1CCF96441CDAB3B078E04AE78F19CC444933983A487E37B699AB71E35BB04945C8BEA9F29B004856FC4CF1882C40
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 43200 (seconds)
TLS session ticket:
Start Time: 1681043137
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 9341DE53534F093E82639506E4A096689232FF54D25E9EF97D973752E1D56320
Session-ID-ctx:
Resumption PSK: BDDCFEB494C84AF5D503CDEA4738133FBF9FCDC6351799EAB5BD407A1BABF8A253030AF63F5BC9542E3042DFD95D21D0
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 43200 (seconds)
TLS session ticket:
Start Time: 1681043137
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
It's the same pattern for 138.199.37.230:
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
depth=0 CN = *.b-cdn.net
Is there some IP address rotation in place? Maybe a changed IP address has not been distributed via DNS all over the place when the server with the old IP is already unprovisioned (and TLS certificate replaced) server-side.
openssl s_client -connect 138.199.37.230:443
this is wrong and proves nothing, you need to use SNI.
And that’s different IP address than you are reporting. Where are you getting that IP address (138.199.37.226), if not from DNS?
The server uses three DNS servers: two of them are netcup DNS servers, one of them is a Google DNS server.
cat /etc/resolv.conf
# NOTE: the libc resolver may not support more than 3 nameservers.
nameserver 46.38.252.230
nameserver 8.8.8.8
nameserver 2a03:4000:8000::fce6
# nameserver 2a03:4000:0:1::e1e6
dig @46.38.252.230 packages.sury.org
; <<>> DiG 9.16.37-Debian <<>> @46.38.252.230 packages.sury.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47107
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;packages.sury.org. IN A
;; ANSWER SECTION:
packages.sury.org. 114 IN CNAME debsuryorg.b-cdn.net.
debsuryorg.b-cdn.net. 35 IN A 138.199.37.232
;; Query time: 12 msec
;; SERVER: 46.38.252.230#53(46.38.252.230)
;; WHEN: Sun Apr 09 14:39:25 CEST 2023
;; MSG SIZE rcvd: 96
dig @8.8.8.8 packages.sury.org
; <<>> DiG 9.16.37-Debian <<>> @8.8.8.8 packages.sury.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34945
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;packages.sury.org. IN A
;; ANSWER SECTION:
packages.sury.org. 3135 IN CNAME debsuryorg.b-cdn.net.
debsuryorg.b-cdn.net. 35 IN A 169.150.247.35
;; Query time: 4 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Apr 09 14:41:02 CEST 2023
;; MSG SIZE rcvd: 96
dig @2a03:4000:8000::fce6 packages.sury.org
; <<>> DiG 9.16.37-Debian <<>> @2a03:4000:8000::fce6 packages.sury.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46232
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;packages.sury.org. IN A
;; ANSWER SECTION:
packages.sury.org. 3577 IN CNAME debsuryorg.b-cdn.net.
debsuryorg.b-cdn.net. 12 IN A 138.199.37.231
;; Query time: 0 msec
;; SERVER: 2a03:4000:8000::fce6#53(2a03:4000:8000::fce6)
;; WHEN: Sun Apr 09 14:41:47 CEST 2023
;; MSG SIZE rcvd: 96
I first thought that the system had somehow cached an earlier DNS response from one of the servers, but that was not the case. Instead, I had an old entry in /etc/hosts which I had not thought about:
cat /etc/hosts
[...]
138.199.37.226 packages.sury.org
I removed the entry, and now everything is working fine again (server name now got resolved to 138.199.36.10).
My fault, sorry for filing this issue. Thanks for this comment ("Where are you getting that IP address, if not from DNS?"), it pointed me directly to /etc/hosts.
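An added diagnostic (not from this thread or the deb.sury.org project) that automates the two checks which settled the issue: whether /etc/hosts pins the name to a stale address that the libc resolver will prefer over DNS, and which names the leaf certificate served at a given address carries when SNI is sent versus omitted. The hosts-file sample and the certificate dict in the comments are constructed for illustration.

```python
import socket
import ssl

# Constructed sample of an /etc/hosts file (not the reporter's actual file).
HOSTS_SAMPLE = """127.0.0.1   localhost
138.199.37.226 packages.sury.org   # stale static entry left behind
::1         ip6-localhost
"""

def hosts_overrides(hosts_text, hostname):
    """Addresses a hosts file pins `hostname` to (empty list if none).
    The libc resolver reads this file before asking any nameserver from
    /etc/resolv.conf, so a forgotten line here silently wins over DNS."""
    pinned = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        fields = line.split()
        if len(fields) > 1 and hostname.lower() in (f.lower() for f in fields[1:]):
            pinned.append(fields[0])
    return pinned

def name_matches(pattern, hostname):
    """RFC 6125-style check: exact match, or one leading '*' label only."""
    p, h = pattern.lower(), hostname.lower()
    if p == h:
        return True
    if p.startswith("*.") and h.count(".") == p.count("."):
        return h.split(".", 1)[1] == p[2:]
    return False

def cert_names(cert):
    """Subject CN plus DNS SANs from the dict form of ssl.getpeercert()."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return names

def leaf_names(ip, hostname, use_sni=True, timeout=5.0):
    """Connect to ip:443 and return the names on the leaf certificate.
    The chain is still verified against the system CA store, but the
    hostname match is done by the caller with name_matches() so that a
    mismatch is reported rather than raised. Without SNI a CDN edge has no
    hostname to select a certificate by and serves its default one, which
    is why a bare `openssl s_client -connect IP:443` proves nothing."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                       # verify_mode stays CERT_REQUIRED
    with socket.create_connection((ip, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname if use_sni else None) as tls:
            return cert_names(tls.getpeercert())

if __name__ == "__main__":
    host = "packages.sury.org"
    print("hosts-file overrides:", hosts_overrides(open("/etc/hosts").read(), host))
    for ip in {ai[4][0] for ai in socket.getaddrinfo(host, 443, socket.AF_INET)}:
        names = leaf_names(ip, host, use_sni=True)
        print(ip, names, "OK" if any(name_matches(n, host) for n in names) else "MISMATCH")
```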
Thanks for following through and admitting the real cause. Appreciated!
Describe the bug From my ubuntu 18.04 machine with all updates installed, I get a trusted certificate (IPv4 and IPv6):
From my debian 11.6 server (with other internet provider and other DNS provider), I get a TLS certificate error:
To Reproduce Steps to reproduce the behavior:
Your understanding of what is happening For IP 138.199.37.226, a different IP address is used. For this IP, I get the wrong certificate
instead of
This should be reconfigured server-side.
SNI is not used for 143.244.50.88 (another IP!), according to https://www.ssllabs.com/ssltest/analyze.html?d=packages.sury.org&s=143.244.50.88&hideResults=on
What steps did you take to resolve issue yourself before reporting it here Nothing, must be reconfigured server-side
Expected behavior All (!) IP addresses in use for deb.sury.org should respond with a TLS certificate which is valid for deb.sury.org.
Distribution (please complete the following information):
Package(s) (please complete the following information): php
Additional context Related (but this reads as if the Let's Encrypt CA certificate has not been installed):